BlackCat

BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.^[1]^[2]^[3]

ID: S1068

ⓘ

Associated Software: ALPHV, Noberus

ⓘ

Type: MALWARE

ⓘ

Platforms: Linux, Windows

Contributors: Hiroki Nagahama, NEC Corporation; Josh Arenas, Trustwave Spiderlabs; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India

Version: 1.0

Created: 28 February 2023

Last Modified: 15 June 2023

Associated Software Descriptions

Name	Description
ALPHV	^[1]^[3]
Noberus	^[3]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1047		Windows管理规范	BlackCat can use `wmic.exe` to delete shadow copies on compromised networks.^[1]
Enterprise	T1112		修改注册表	BlackCat has the ability to add the following registry key on compromised networks to maintain persistence: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \LanmanServer\Paramenters`^[1]
Enterprise	T1059	.003	命令与脚本解释器: Windows Command Shell	BlackCat can execute commands on a compromised network with the use of `cmd.exe`.^[1]
Enterprise	T1486		数据加密以实现影响	BlackCat has the ability to encrypt Windows devices, Linux devices, and VMWare instances.^[1]
Enterprise	T1083		文件和目录发现	BlackCat can enumerate files for encryption.^[1]
Enterprise	T1222	.001	文件和目录权限修改: Windows File and Directory Permissions Modification	BlackCat can use Windows commands such as `fsutil behavior set SymLinkEvaluation R2L:1` to redirect file system access to a different location after gaining access into compromised networks.^[1]
Enterprise	T1489		服务停止	BlackCat has the ability to stop VM services on compromised networks.^[1]^[2]
Enterprise	T1069	.002	权限组发现: Domain Groups	BlackCat can determine if a user on a compromised host has domain admin privileges.^[1]
Enterprise	T1570		横向工具传输	BlackCat can replicate itself across connected servers via `psexec`.^[1]
Enterprise	T1548	.002	滥用权限提升控制机制: Bypass User Account Control	BlackCat can bypass UAC to escalate privileges.^[1]
Enterprise	T1561	.001	磁盘擦除: Disk Content Wipe	BlackCat has the ability to wipe VM snapshots on compromised networks.^[1]^[2]
Enterprise	T1070	.001	移除指标: Clear Windows Event Logs	BlackCat can clear Windows event logs using `wevtutil.exe`.^[1]
Enterprise	T1491	.001	篡改: Internal Defacement	BlackCat can change the desktop wallpaper on compromised hosts.^[1]^[2]
Enterprise	T1082		系统信息发现	BlackCat can obtain the computer name and UUID, and enumerate local drives.^[1]
Enterprise	T1490		系统恢复抑制	BlackCat can delete shadow copies using `vssadmin.exe delete shadows /all /quiet` and `wmic.exe Shadowcopy Delete`; it can also modify the boot loader using `bcdedit /set {default} recoveryenabled No`.^[1]
Enterprise	T1033		系统所有者/用户发现	BlackCat can utilize `net use` commands to discover the user name on a compromised host.^[1]
Enterprise	T1135		网络共享发现	BlackCat has the ability to discover network shares on compromised networks.^[1]^[2]
Enterprise	T1134		访问令牌操控	BlackCat has the ability modify access tokens.^[1]^[2]
Enterprise	T1087	.002	账号发现: Domain Account	BlackCat can utilize `net use` commands to identify domain users.^[1]
Enterprise	T1018		远程系统发现	BlackCat can broadcasts NetBIOS Name Service (NBNC) messages to search for servers connected to compromised networks.^[1]

Groups That Use This Software

ID	Name	References
G1015	Scattered Spider	Scattered Spider has deployed BlackCat ransomware to victim environments for financial gain.^[4]^[5]

BlackCat

Associated Software Descriptions

Enterprise Layer

Techniques Used

Groups That Use This Software

References